WiFi using FortiAuthenticator RADIUS with Certificates

This recipe will walk you through the configuration of FortiAuthenticator as the RADIUS server for a FortiGate wireless controller. WPA2-Enterprise with 802.1X authentication can be used to authenticate wireless users with FortiAuthenticator. 802.1X utilizes the Extensible Authentication Protocol (EAP) to establish a secure tunnel between participants involved in an authentication exchange.

EAP-TLS is the most secure form of wireless authentication because it replaces the client username/password with a client certificate. Every participant in EAP-TLS, the authentication server included, must possess at least two certificates: 1) its own certificate signed by the certificate authority (CA) and 2) a copy of the CA root certificate.

This recipe specifically focuses on the configuration of the FortiAuthenticator, the FortiGate and a Windows 7 computer.

1. Creating a local CA on FortiAuthenticator

The FortiAuthenticator will act as the certificate authority for all certificates authenticated for client access. To enable this functionality, a self-signed root CA certificate must be generated.

On the FortiAuthenticator, go to Certificate Management > Certificate Authorities > Local CAs. Click Create New. Complete the information in the fields pertaining to your organization.

2. Creating a local service certificate on FortiAuthenticator

In order for the FortiAuthenticator to use a certificate in mutual authentication (supported by EAP-TLS), a local services certificate has to be created on behalf of the FortiAuthenticator.

Go to Certificate Management > End Entities > Local Services. Click Create New. Complete the information in the fields pertaining to your organization.

3. Configuring RADIUS EAP on FortiAuthenticator

In order for the FortiAuthenticator to present the newly created Local Services certificate to the WiFi client as proof of its identity, RADIUS-EAP must be configured to use this certificate.

Go to Authentication > RADIUS Service > EAP. Click Create New. Select the corresponding Local Services certificate in the EAP Server Certificate section. Choose the Local CA certificate previously configured in the Local CAs section.

4. Configuring RADIUS client on FortiAuthenticator

The FortiAuthenticator has to be configured to allow RADIUS clients to make authorization requests to it.

EAP-TLS should be the only EAP type selected, to prevent fallback to a less secure authentication method if the WiFi client does not present a certificate.

5. Configuring local user on FortiAuthenticator

The authentication of the WiFi client will be tied to a user account on the FortiAuthenticator. In this scenario, a local user will be configured but remote users associated with LDAP can be configured as well.

6. Configuring local user certificate on FortiAuthenticator

The certificate created locally on the FortiAuthenticator will be associated with the local user. It is important to note that the Name (CN) must exactly match the username of the user registered in the FortiAuthenticator (i.e. eap-user).

9. Importing user certificate into Windows 7

On the Windows 7 computer, double-click the downloaded certificate file from the FortiAuthenticator. This will launch the Welcome to Certificate Import Wizard. Click Next.

Make sure the correct certificate is shown in the File Name section in the File to Import window. Click Next.

Below Password, type the password created on the FortiAuthenticator during the export of the certificate. Select Mark this key as exportable. Leave remaining defaults. Click Next.

In the Certificate Store window, choose Place all certificates in the following store. Click Browse and choose Personal. Click Next, and then Finish. A dialog box confirms that the certificate was imported successfully.

Modify the newly created wireless connection EAP-TLS by right clicking and choosing Properties.

In EAP-TLS Wireless Network Properties, under Choose a network authentication method, select Microsoft: Smart card or other certificates. Then click Settings.

In Smart Card or other Certificates Properties, under When connecting, select Use a certificate on this computer and check Use simple certificate selection. Click OK, and then OK again.

Please note that, for simplicity, Validate server certificate has been disabled here, but EAP-TLS allows the client to validate the server as well as the server to validate the client. To enable this, import the CA certificate from the FortiAuthenticator onto the Windows 7 computer and make sure it is placed in the Trusted Root Certification Authorities store.

The configuration for the Windows 7 computer is now complete, and the user should be able to authenticate to WiFi via the certificate without entering a username and password.
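The two requirements above that most often break EAP-TLS on the client are the CN/username match from step 6 and a CA that is not in Trusted Root (which is what server validation needs). The following PowerShell script is an added example, not part of the Fortinet recipe, that checks both on the Windows client after the import; it assumes the client certificate landed in CurrentUser\Personal, and "eap-user" is the recipe's example username.

```powershell
# Added example (not from the Fortinet recipe): post-import checks on the Windows client.
# Assumes the user certificate was imported into CurrentUser\Personal (step 9) and that
# the FortiAuthenticator CA, if imported, went into Trusted Root. "eap-user" is the
# recipe's example username; change it to the account configured in step 5.
$UserName = "eap-user"

# Step 6 rule: the certificate CN must equal the FortiAuthenticator username exactly.
$clientCert = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.HasPrivateKey -and $_.GetNameInfo("SimpleName", $false) -eq $UserName } |
    Select-Object -First 1
if (-not $clientCert) {
    Write-Warning "No certificate with a private key and CN '$UserName' in CurrentUser\Personal."
    Write-Warning "Check the CN entered in step 6 and that the PKCS#12 import (step 9) succeeded."
    return
}
Write-Host "Client certificate: $($clientCert.Subject) issued by $($clientCert.Issuer)"

# Build the chain to see whether the FortiAuthenticator CA is trusted on this machine.
# Revocation checking is skipped because the recipe publishes no CRL/OCSP endpoint.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = "NoCheck"
$chainOk = $chain.Build($clientCert)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

# "Validate server certificate" can only be enabled if that root is in Trusted Root.
$rootHits = @(Get-ChildItem Cert:\CurrentUser\Root, Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $root.Thumbprint })
$rootTrusted = $rootHits.Count -gt 0

if ($chainOk -and $rootTrusted) {
    Write-Host "OK: chain builds to trusted root '$($root.Subject)'. Safe to enable 'Validate server certificate'."
} else {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ", "
    Write-Warning "Chain status: $status"
    Write-Warning "Import the FortiAuthenticator CA into Trusted Root Certification Authorities before enabling server validation."
}
```

Run it in the same user session that owns the wireless profile; the Cert: drive and X509Chain class are available on Windows 7 with PowerShell 2.0.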

11. Results on FortiAuthenticator

When the user authenticates to WiFi using the certificate, a corresponding log entry appears on the FortiAuthenticator.

12. Results on FortiGate

The log on the FortiGate shows plenty of details, such as the client's MAC address, IP address, SSID, Security Mode, Encryption, AP, Radio, Band and Channel.
